Active Directory - Clone a Domain Controller in Windows Server 2012 with Hyper-V (VM-GenerationID)
Introduction : VM-GenerationID
One of the obvious reasons for virtualization is the independence of virtual machines from hardware. It is very simple to clone a Virtual Machine (VM) in a virtualized infrastructure.
But can we clone any VM?
It’s not easy to answer this question. The smart answer, as usual, would be: "It depends".
Before the 2012 version of Windows Server, cloning a VM hosting AD DS (Active Directory Domain Services) was forbidden. Indeed, cloning or restoring a Domain Controller could cause a "USN rollback".
One of the major benefits introduced in Windows Server 2012 is the VM-GenerationID.
The ID is an identifier encoded in 128 bits and provided by the hypervisor through a specific driver.
You can check inside a VM if you’ll be able to clone a Domain Controller. Let’s explore the device manager of a VM hosted by Hyper-V hypervisor running on a Windows 8 machine. You can see below how this test lab was created.
If you see the device "Microsoft Hyper-V Generation Counter", your hypervisor will be able to manage the VM-GenerationID and you will be able to clone a Domain Controller.
http://3.bp.blogspot.com/-pOOVdILYbno/UQT6Kd-cJyI/AAAAAAAAArs/yTOiZBDMjqw/s1600/deviceManagerGenerationCounter.png
The VM-GenerationID is generated and stored on the Domain Controller as an attribute of the Active Directory database. This attribute is not replicated.
The VM-GenerationID is recorded in the Active Directory database NTDS.dit as the attribute msDS-GenerationID.
You can see it by logging on to the DC you want to check and displaying its attributes. You can easily do this via ADUC or ADAC.
http://2.bp.blogspot.com/-V9zmjQsl0b0/UQT8ntNl9MI/AAAAAAAAAsM/Ux_ddmrPvok/s1600/msDS-GenerationID.png
1) Prerequisites
To be cloned, a DC must meet the following prerequisites:
- As mentioned above, your hypervisor must support VM-GenerationID. It is the case with Hyper-V running on Windows 8 and on Windows Server 2012
- The DC source must be running on Windows Server 2012
- The DC source cannot host the PDC emulator role. In addition, the DC which hosts this role must be available and must be running on Windows Server 2012
Consequently, you must have at least two DCs in your infrastructure before you can clone a DC.
2) Prepare the source DC
To clone a DC, the first thing you will have to do is prepare it to be cloned. The first step is to add your source DC to the security group "Cloneable Domain Controllers". You have several options to do this.
The first is with ADAC or ADUC.
http://2.bp.blogspot.com/-z0R_1iE8C1g/UQUAwbdal9I/AAAAAAAAAs4/kSFMgdAFWyw/s1600/1_addTOGroupADAC.png
http://1.bp.blogspot.com/-RCnInF8fI10/UQUAwFQcHZI/AAAAAAAAAss/SXZ71c9mx34/s1600/1_addTOGroup.png
http://2.bp.blogspot.com/-Lx6Hkj3WEMQ/UQUAwTPBirI/AAAAAAAAAsw/MEjQqbuUe1k/s1600/2_cloneableDC.png
http://4.bp.blogspot.com/-6UHIqwbJVHg/UQUAwntlFrI/AAAAAAAAAs8/P9TuKo0V-tA/s1600/3_added.png
The second way is to do it via PowerShell.
Add-ADGroupMember "Cloneable Domain Controllers" "CN=DC02,OU=Domain Controllers,DC=LABO,DC=COM"
OK, our source DC is now a member of the security group "Cloneable Domain Controllers". Let’s continue preparing it.
TechNet tells us that we need to run the following command before starting the cloning process. It determines which programs and services are present on the DC but absent from the default supported list "DefaultDCCloneAllowList.xml" and from the user-defined inclusion list "CustomDCCloneAllowList.xml"; these are not supported by the cloning process because they have not been evaluated for cloning impact.
Get-ADDCCloningExcludedApplicationList
http://1.bp.blogspot.com/-O9FnROkMkbI/UQUD8rRMKvI/AAAAAAAAAts/p8ekL2mxZfA/s1600/21_getADDCCLoningExcludedApplicationList.png
The result of the command is pretty clear in this case: "No excluded applications were detected". At this stage, we can proceed. In some cases, however, you need to run the second command to generate your own .xml file containing the list of applications or services you want to add because you know they are supported.
Here is an example (run on a test lab running ESXi 5.1).
http://4.bp.blogspot.com/-cUqUFaDX7cQ/UQUDy6QuQOI/AAAAAAAAAtk/M2V8qeNLEds/s1600/4_listExcluded.png
We type the second command to generate the .xml file.
Get-ADDCCloningExcludedApplicationList -GenerateXml
http://1.bp.blogspot.com/-nGcis93Fgpc/UQUEbDh6kqI/AAAAAAAAAt4/AGTcLSgnqdI/s1600/5_generatedXML.png
We can find the generated .xml file "CustomDCCloneAllowList.xml" in "C:\Windows\NTDS\".
http://3.bp.blogspot.com/-82LoLYvZkGU/UQUEa2D6-4I/AAAAAAAAAt0/0XrXJbf2OSg/s1600/6_XML.png
To complete the warm-up, we have to launch one last command:
New-ADDCCloneConfigFile -Static -IPv4Address "192.168.1.12" -IPv4DNSResolver "192.168.1.10" -IPv4SubnetMask "255.255.255.0" -CloneComputerName "DC03" -IPv4DefaultGateway "192.168.1.1" -SiteName "Default-First-Site-Name"
http://1.bp.blogspot.com/-VRlJTy3eZhI/UQUGUPiH3TI/AAAAAAAAAuk/Y5zho4imTsc/s1600/22_NewADDCCloneConfigFile.png
This command will generate a new .xml file: "DCCloneConfig.xml". By entering this command, we have specified the future cloned DC name and its network configuration.
http://3.bp.blogspot.com/-AyqqV6287D4/UQUHZEecIMI/AAAAAAAAAuw/Iwu_mhcCvEM/s1600/Untitled.png
The cloned DC must be placed in the same site as the source DC.
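The whole preparation sequence above (prerequisite checks, group membership, excluded-application check, clone configuration file) can be driven from PowerShell. The script below is an added example, not code from the original post; it assumes the ActiveDirectory module on the source DC, the post's lab names (DC02 as source, DC03 as clone, domain LABO.COM) and the post's network values, and it deliberately stops rather than whitelisting applications automatically when the excluded-application check returns something.

```powershell
# Added example (not the post's own code). Run on the source DC (DC02 in the post).
Import-Module ActiveDirectory

function Test-DcClonePrerequisites {
    # Returns a hashtable of the prerequisites listed in the post and whether each is met.
    param([string]$SourceDc = $env:COMPUTERNAME)

    $domain = Get-ADDomain
    $src    = Get-ADComputer -Identity $SourceDc -Properties OperatingSystem, DNSHostName
    # PDCEmulator is an FQDN (e.g. dc01.labo.com); the computer object is looked up by host name.
    $pdc    = Get-ADComputer -Identity $domain.PDCEmulator.Split('.')[0] -Properties OperatingSystem, DNSHostName

    # The "Microsoft Hyper-V Generation Counter" device is the sign the hypervisor exposes VM-GenerationID.
    $genCounter = Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.Name -like '*Hyper-V Generation Counter*' }

    $checks = @{
        'Hypervisor exposes VM-GenerationID' = [bool]$genCounter
        'Source DC runs Windows Server 2012' = ($src.OperatingSystem -like '*2012*')
        'Source DC is not the PDC emulator'  = ($src.DNSHostName -ne $domain.PDCEmulator)
        'PDC emulator runs Windows Server 2012' = ($pdc.OperatingSystem -like '*2012*')
        'At least two DCs in the domain'     = (@(Get-ADDomainController -Filter *).Count -ge 2)
    }
    $checks['AllMet'] = -not ($checks.Values -contains $false)
    return $checks
}

function Invoke-DcClonePreparation {
    param(
        [string]$SourceDc       = 'DC02',
        [string]$CloneName      = 'DC03',
        [string]$CloneIPv4      = '192.168.1.12',
        [string]$SubnetMask     = '255.255.255.0',
        [string]$DefaultGateway = '192.168.1.1',
        [string]$DnsResolver    = '192.168.1.10',
        [string]$SiteName       = 'Default-First-Site-Name'
    )

    $pre = Test-DcClonePrerequisites -SourceDc $SourceDc
    if (-not $pre.AllMet) {
        $pre.GetEnumerator() | Where-Object { $_.Value -eq $false } |
            ForEach-Object { Write-Warning "Prerequisite not met: $($_.Key)" }
        throw "Prerequisites for cloning $SourceDc are not met."
    }

    # Step 1: membership in "Cloneable Domain Controllers" (skip if already a member).
    $src = Get-ADComputer -Identity $SourceDc
    $already = Get-ADGroupMember -Identity 'Cloneable Domain Controllers' |
        Where-Object { $_.SamAccountName -eq $src.SamAccountName }
    if (-not $already) {
        Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members $src
    }

    # Step 2: anything not on DefaultDCCloneAllowList.xml / CustomDCCloneAllowList.xml blocks cloning.
    # Stop here so a human reviews the list; only then should -GenerateXml be used to
    # produce CustomDCCloneAllowList.xml in C:\Windows\NTDS, trimmed to what is known to be safe.
    $excluded = Get-ADDCCloningExcludedApplicationList
    if ($excluded) {
        $excluded | ForEach-Object { Write-Warning "Not evaluated for cloning: $($_.Name) ($($_.Type))" }
        throw "Review the excluded applications, then run Get-ADDCCloningExcludedApplicationList -GenerateXml."
    }

    # Step 3: write DCCloneConfig.xml with the clone's name, static IPv4 settings and site.
    New-ADDCCloneConfigFile -Static `
        -CloneComputerName  $CloneName `
        -IPv4Address        $CloneIPv4 `
        -IPv4SubnetMask     $SubnetMask `
        -IPv4DefaultGateway $DefaultGateway `
        -IPv4DNSResolver    $DnsResolver `
        -SiteName           $SiteName
}

Invoke-DcClonePreparation
```

The script throws instead of generating CustomDCCloneAllowList.xml on its own because that file is an allow list: an application added to it without evaluation is exactly the kind of thing that can leave a clone with a stale SID, certificate or database that the cloning process was designed to avoid.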
Let's edit the configuration file of the DC02 virtual machine:
http://2.bp.blogspot.com/-Yur6okzOhrs/UQUJf-ErYyI/AAAAAAAAAv8/vV9-VhiiyvU/s1600/generationIDDC02a.png
We find the field "generation_id" with this hexadecimal value: "5683b796635a6015936e3117daa5b751".
http://4.bp.blogspot.com/-JMrDO29K0i4/UQUJV64q8BI/AAAAAAAAAvk/pFI9oLQuSjI/s1600/generationIDDC02.png
The value of the msDS-GenerationId attribute is 51 B7 A5 DA 17 31 6E 93. By reversing the byte order of the value found in the .xml file of the virtual machine, the same value is found: 936e3117daa5b751 -> 51b7a5da17316e93
http://1.bp.blogspot.com/-MzAMXPrUSKQ/UQUJWNTqqFI/AAAAAAAAAvo/AzcLji70T8w/s1600/generationIDDC02b.png
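The two checks made by hand above (the Generation Counter device in Device Manager, and the msDS-GenerationId attribute compared with the generation_id in the VM's configuration file) can be scripted. This is an added example, not code from the post; it assumes the ActiveDirectory module on the DC and takes the VM .xml generation_id as an input string (the value used in the call at the bottom is the one shown in the post, pasted by hand, since the guest cannot read the host's configuration file).

```powershell
# Added example (not the post's own code). Run inside the DC's guest OS.
Import-Module ActiveDirectory

function Test-HyperVGenerationCounter {
    # True when the "Microsoft Hyper-V Generation Counter" device is present, i.e. the
    # hypervisor provides a VM-GenerationID to this guest.
    $dev = Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.Name -like '*Hyper-V Generation Counter*' }
    return [bool]$dev
}

function Get-DcGenerationIdHex {
    # Reads msDS-GenerationId (an octet string, returned as byte[]) from the DC's computer
    # object and returns it as hex both as stored and with the byte order reversed.
    param([string]$DcName = $env:COMPUTERNAME)

    $bytes = (Get-ADComputer -Identity $DcName -Properties 'msDS-GenerationId').'msDS-GenerationId'
    if (-not $bytes) { return $null }   # attribute absent: no VM-GenerationID was ever recorded

    $reversed = [byte[]]$bytes.Clone()
    [array]::Reverse($reversed)
    return @{
        Stored   = ($bytes    | ForEach-Object { $_.ToString('x2') }) -join ''
        Reversed = ($reversed | ForEach-Object { $_.ToString('x2') }) -join ''
    }
}

function Compare-DcGenerationId {
    # Applies the comparison shown in the post: the 8-byte attribute, byte-reversed, equals
    # the last 16 hex digits of the 32-digit generation_id in the VM's .xml file.
    param(
        [Parameter(Mandatory)][string]$VmXmlGenerationId,
        [string]$DcName = $env:COMPUTERNAME
    )
    $ids = Get-DcGenerationIdHex -DcName $DcName
    if (-not $ids) { return $false }

    $clean = $VmXmlGenerationId.ToLower() -replace '[^0-9a-f]', ''
    if ($clean.Length -lt 16) { return $false }
    $tail = $clean.Substring($clean.Length - 16)
    return ($ids.Reversed -eq $tail)
}

# Usage with the values the post shows for DC02 (generation_id copied from the VM .xml).
"Generation Counter device present: $(Test-HyperVGenerationCounter)"
$ids = Get-DcGenerationIdHex
"msDS-GenerationId as stored : $($ids.Stored)"
"msDS-GenerationId reversed  : $($ids.Reversed)"
"Matches VM generation_id    : $(Compare-DcGenerationId -VmXmlGenerationId '5683b796635a6015936e3117daa5b751')"
```

Running the same comparison on DC03 after the clone boots is a quick way to confirm that the clone really received a new VM-GenerationID rather than carrying DC02's: its attribute should match the generation_id in DC03's configuration file and differ from DC02's, which is what the post's screenshots show.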
3) Export of the prepared VM and import in the new VM
Shut down the DC (DC02) we just prepared.
http://3.bp.blogspot.com/-EEbi0Ff6nP0/UQULDG-R_1I/AAAAAAAAAwg/Gyglw8gbmpo/s1600/23_shutdownDC.png
In Hyper-V, select the VM to export (DC02 in this case) and choose the option "Export..."
http://1.bp.blogspot.com/-IT3yRqNl--s/UQULTk-Y49I/AAAAAAAAAw4/JmilhSP8GQg/s1600/24_ExportDC.png
Then, simply specify where you want to export your VM.
http://4.bp.blogspot.com/-buz581eqmNQ/UQULS3XM0SI/AAAAAAAAAwo/Q9-sB2vbiaE/s1600/25_specifyWhere.png
For this lab, I created an Export folder under the Labo folder on the G:\ disk, which is actually a virtual disk hosted by a Synology NAS.
http://4.bp.blogspot.com/-pUpv0wfAWEA/UQULTJI9JdI/AAAAAAAAAws/_mPXvJI4dz0/s1600/26_selectFolder.png
http://2.bp.blogspot.com/-3ZIJhO8o16w/UQULTmdMwFI/AAAAAAAAAw8/0PzPjSVCRx4/s1600/27_exportVM.png
Let the export finish.
http://3.bp.blogspot.com/-b9s2SddOUJM/UQULUHK7qUI/AAAAAAAAAxI/_ANF0NFcDRM/s1600/28_exportedStructure.png
A .vhdx has been exported.
http://4.bp.blogspot.com/-wixic0bWxnY/UQULUTjXgqI/AAAAAAAAAxE/840KqoYw7HE/s1600/29_vhdx.png
And the .xml configuration file.
http://1.bp.blogspot.com/-BKVo2ZNlvcU/UQUMK4da4_I/AAAAAAAAAxk/XIsZwW1Oikc/s1600/30_xml.png
Now let’s move on to the import step. Select your node and "Import Virtual Machine...".
http://2.bp.blogspot.com/-zSJz1KMbhc0/UQUMj1d40eI/AAAAAAAAAyQ/IpgIbuSZPfM/s1600/32_importVM.png
The import process is very simple: click "Next >".
http://2.bp.blogspot.com/-GFib7dz26-k/UQUMj4U7wAI/AAAAAAAAAyE/oWEn7Bv-zek/s1600/33_step1.png
"Browse".
http://4.bp.blogspot.com/-zIasYdhzqqU/UQUMj6FE2ZI/AAAAAAAAAyI/JURV4geEQj8/s1600/34_locateFolder.png
Select the cloned VM root folder, here, for the example DC02.
http://4.bp.blogspot.com/-7MXpvHFJbzI/UQUMkUwO7MI/AAAAAAAAAyM/Mj7M3ddEZyg/s1600/35_selectFolder.png
"Next >".
http://4.bp.blogspot.com/-JPjSw0DH83E/UQUMknx55DI/AAAAAAAAAyU/iVTOJUfbtDc/s1600/36_locatedFolder.png
Hyper-V detects a VM; click "Next >" ;-)
http://3.bp.blogspot.com/-r1CkFCK--tQ/UQUMk6hjPMI/AAAAAAAAAyo/t4USiihCy4w/s1600/37_selectVM.png
We want Hyper-V to create a new unique ID, so choose that import type and click "Next >".
http://2.bp.blogspot.com/-OBNDuKCJrXE/UQUMk5HkhFI/AAAAAAAAAyg/8Tvx_i-CcAQ/s1600/38_chooseImportType.png
Store the VM where you want and click "Next >".
http://2.bp.blogspot.com/-dQS82ZZNMUU/UQUMlDM-EnI/AAAAAAAAAyk/7FS89duie5E/s1600/39_chooseFolderForVM.png
Choose where to store the .vhdx and click "Next >".
http://2.bp.blogspot.com/-dZEcCoFNC1Y/UQUMl60PExI/AAAAAAAAAy8/xcG9JKy_TN4/s1600/40_chooseFoldersToStoreVHDx.png
Done! Check the review of the import and click on "Finish".
http://4.bp.blogspot.com/-xEI0iakSU5g/UQUMmER56rI/AAAAAAAAAyw/KCQIeYm55rs/s1600/41_completingImport.png
Hyper-V begins the import process.
http://3.bp.blogspot.com/-4Ka-knNQvFw/UQUMmCeb5hI/AAAAAAAAAy0/A77arU9kWNE/s1600/42_copying.png
Once the import is complete, if you edit the .xml configuration file of the imported VM, you can notice that the generation_id field has been modified.
DC02 .xml
http://4.bp.blogspot.com/-JMrDO29K0i4/UQUJV64q8BI/AAAAAAAAAvk/pFI9oLQuSjI/s1600/generationIDDC02.png
DC03 (imported VM) .xml
http://1.bp.blogspot.com/-swleylZTOgA/UQUMmUW2RfI/AAAAAAAAAzE/RKP1vBCyvh4/s1600/43_newGenerationID.png
Rename the VM. Right click on the imported VM and click on "Rename..."
http://2.bp.blogspot.com/-IlCjFj3TjsA/UQUMms4PbnI/AAAAAAAAAzA/p0TKb2deYn0/s1600/44_renameNewVM.png
It's done! Start DC02 and then DC03.
http://3.bp.blogspot.com/-Md_AF0ZtKHk/UQUMmtqv9SI/AAAAAAAAAzM/EyuxNSoPc10/s1600/45_VMRenamed.png
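The export, import-as-copy-with-new-ID, rename and start-up steps of this section have a PowerShell equivalent on the Hyper-V host. The function below is an added example, not code from the post; it assumes the Hyper-V module on the host, the post's VM name DC02, the G:\Labo\Export path and a clone destination folder chosen for this example, and it keeps the post's ordering (shut down the source, export, import, rename, start DC02 before DC03).

```powershell
# Added example (not the post's own code). Run on the Hyper-V host as an administrator.
Import-Module Hyper-V

function Copy-DcVm {
    param(
        [string]$SourceVm   = 'DC02',
        [string]$CloneName  = 'DC03',
        [string]$ExportRoot = 'G:\Labo\Export',
        [string]$CloneRoot  = 'G:\Labo\DC03'       # assumed destination for the clone's files
    )

    # 1) The source DC must be shut down cleanly before it is exported (the post shuts DC02 down first).
    if ((Get-VM -Name $SourceVm).State -ne 'Off') {
        Stop-VM -Name $SourceVm
    }

    # 2) Export produces <ExportRoot>\<SourceVm>\Virtual Machines\<id>.xml plus the .vhdx.
    Export-VM -Name $SourceVm -Path $ExportRoot
    $configXml = Get-ChildItem -Path (Join-Path $ExportRoot "$SourceVm\Virtual Machines") -Filter '*.xml' |
        Select-Object -First 1
    if (-not $configXml) { throw "No exported configuration found under $ExportRoot" }

    # 3) Import as a copy with a new unique ID: the PowerShell form of the "create a new unique ID"
    #    import type chosen in the GUI above. The post shows the imported VM's configuration then
    #    carries a different generation_id from DC02's.
    $clone = Import-VM -Path $configXml.FullName -Copy -GenerateNewId `
        -VirtualMachinePath $CloneRoot `
        -VhdDestinationPath (Join-Path $CloneRoot 'Virtual Hard Disks')

    # 4) Rename the imported VM, then start the source first and the clone second, as in the post.
    Rename-VM -VM $clone -NewName $CloneName
    Start-VM -Name $SourceVm
    Start-VM -Name $CloneName

    return Get-VM -Name $CloneName
}

Copy-DcVm | Format-Table Name, State, Id, Path
```

Importing without -GenerateNewId (the "register in place" or "restore" import types) would keep the source VM's identity, which is not what a clone should have; -Copy with -GenerateNewId is the combination that matches the GUI choice made above.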
DC03 is starting...
http://3.bp.blogspot.com/-7ss8QTMnh8Y/UQUNx0F1aDI/AAAAAAAAA04/5Og-y_hXt-Q/s1600/46.png
The DC found out it was a clone, so it starts the cloning process.
http://4.bp.blogspot.com/-Stu7lBUFArI/UQUNxxhXtKI/AAAAAAAAA08/nFRXDK-UZu4/s1600/48.png
DC03 restarts once.
http://4.bp.blogspot.com/-HU88VezWc0Y/UQUNxy_xp4I/AAAAAAAAA1E/sdEUBqTBOL4/s1600/49.png
Check the Sites and Services console. You can see the new DC.
http://2.bp.blogspot.com/-c3s8UnR4HSw/UQUMrm5EAEI/AAAAAAAAAz8/gOzKwozkqbw/s1600/50_sitesAndServices.png
It also appears in ADUC and ADAC.
http://1.bp.blogspot.com/-PaSeQfcyOIc/UQUMsBI5n9I/AAAAAAAAA0M/Aat6mlSHTLo/s1600/52_ADUC.png
http://3.bp.blogspot.com/-DRyysyHRDPg/UQUMsnbD7cI/AAAAAAAAA0g/yyUuDr1btUk/s1600/53_ADAC.png
If you open the properties of DC03 (the DC resulting from the cloning), you will see that its VM-GenerationID is different from that of the source DC, DC02.
http://4.bp.blogspot.com/-AtnFNT1n0Lc/UQUVzvZYunI/AAAAAAAAA2M/MlQ_VhZRsaU/s1600/54_newmsDS-GenerationID.png
4) Detailed cloning process
TechNet explains exactly what happens during the cloning process. Here is the diagram published by Microsoft describing it.
http://4.bp.blogspot.com/-hPeZ1bJJRpM/UQUWmUvaqxI/AAAAAAAAA2U/jgCu0hdp_5M/s1600/IC629661.gif
5) Cloning went wrong?
If your cloning goes wrong, the source DC will restart in Directory Services Restore Mode (DSRM). You need to log on locally and remove the DSRM boot flag. Then, after correcting the error that prevented the source DC from being cloned properly, clone and restart again.
There are two ways to do this:
a) Via Msconfig
http://4.bp.blogspot.com/-tUpWsEznwnw/UQUYe9P57wI/AAAAAAAAA28/PlMrYBW1n3U/s1600/55_DSRM.png
http://3.bp.blogspot.com/-rgQFAYVRX8w/UQUYhDajR-I/AAAAAAAAA3E/okiIv2Cby74/s1600/56_DSRM.png
b) On a Server Core installation, via the command prompt
bcdedit.exe /deletevalue safeboot
6) Conclusion
This tutorial is now complete.
We can see the great advantage of the VM-GenerationID added by Microsoft, as it also opens the way to DC snapshots.
Indeed, before this improvement, cloning a DC could lead to serious inconsistencies in the AD database, as shown in this diagram (source).
http://3.bp.blogspot.com/-L2dTnq7HGSA/UQUaGlss9rI/AAAAAAAAA30/dBMUbojVCTk/s1600/IC261600.gif
It is now managed as shown in the following illustration (source).
http://2.bp.blogspot.com/-ga8U8StNVIs/UQUaxTE5j1I/AAAAAAAAA38/RfqwlsF_E8o/s1600/IC610954.gif